
私は、バックエンドで WCF RIA と Entity Framework を使用する Silverlight アプリケーションを検討していました。Visual Studio が生成する次のようなコードは、WCF RIA と Entity Framework においてどのようにセキュリティ保護されているのでしょうか?

/// <summary>
/// Returns the someEntity set of the service's ObjectContext as a query.
/// </summary>
/// <remarks>
/// Nothing in this method restricts who may call it; any authorization has to
/// come from attributes on the operation or from the hosting configuration.
/// </remarks>
public IQueryable<someEntity> GetSomeEntity()
{
    IQueryable<someEntity> entities = this.ObjectContext.someEntity;
    return entities;
}

で、認証されたユーザーだけがこの Web サービスを呼び出せるように、適切な認証を設定することを想定しています。また、Silverlight クライアント上にユーザーアクセス制御を持っているので、ユーザーは許可されたデータにしかアクセスできません。Web サービス自体にアクセス制御を実装する以外に、認証されたユーザーが Web サービス要求を偽装する(つまり Silverlight クライアントのアクセス制御をバイパスする)ことを防ぐものは何でしょうか?

回答


これは、Silverlight で RIA サービスをセキュリティで保護する方法の全体像です。お役に立てば幸いです。

Webプロジェクト

カスタムメンバシッププロバイダを書きます

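/// <summary>
/// Membership provider that validates credentials against the Users set of the
/// application's Entity Framework model. Only <see cref="ValidateUser"/> and
/// <see cref="ApplicationName"/> are implemented; every other member throws.
/// </summary>
public class CustomMembershipProvider : MembershipProvider
{
    /// <summary>
    /// Returns true when a user with the given login and password exists.
    /// </summary>
    /// <param name="username">Login name submitted by the client.</param>
    /// <param name="password">Password submitted by the client.</param>
    /// <returns>True if matching credentials were found; otherwise false.</returns>
    /// <remarks>
    /// SECURITY: the stored Password column is compared directly with the value
    /// the client typed, so the database must be holding plaintext passwords.
    /// Store a salted hash instead and compare the hash of the submitted
    /// password here. Whether the comparison is case-sensitive is decided by
    /// the database collation, not by this code.
    /// </remarks>
    public override bool ValidateUser(string username, string password)
    {
        // Empty credentials never match a real account; rejecting them here
        // also avoids a round trip to the database.
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
        {
            return false;
        }

        using (Model.YourDomainModel context = new Model.YourDomainModel())
        {
            return context.Users.Any(u => u.Login == username &&
                                          u.Password == password);
        }
    }

    /// <summary>
    /// Name of the application this provider serves. Changing it is not
    /// supported, so the setter throws.
    /// </summary>
    public override string ApplicationName
    {
        get
        {
            return "Your app name";
        }
        set
        {
            throw new NotImplementedException();
        }
    }

    // The remaining abstract members of MembershipProvider are not needed for
    // this sample. Each throws rather than silently returning a default so that
    // accidental use fails loudly.
    #region Other overrides not implemented
    public override bool ChangePassword(string username, string oldPassword, string newPassword)
    {
        throw new NotImplementedException();
    }

    public override bool ChangePasswordQuestionAndAnswer(string username, string password, string newPasswordQuestion, string newPasswordAnswer)
    {
        throw new NotImplementedException();
    }

    public override MembershipUser CreateUser(string username, string password, string email, string passwordQuestion, string passwordAnswer, bool isApproved, object providerUserKey, out MembershipCreateStatus status)
    {
        throw new NotImplementedException();
    }

    public override bool DeleteUser(string username, bool deleteAllRelatedData)
    {
        throw new NotImplementedException();
    }

    public override bool EnablePasswordReset
    {
        get { throw new NotImplementedException(); }
    }

    public override bool EnablePasswordRetrieval
    {
        get { throw new NotImplementedException(); }
    }

    public override MembershipUserCollection FindUsersByEmail(string emailToMatch, int pageIndex, int pageSize, out int totalRecords)
    {
        throw new NotImplementedException();
    }

    public override MembershipUserCollection FindUsersByName(string usernameToMatch, int pageIndex, int pageSize, out int totalRecords)
    {
        throw new NotImplementedException();
    }

    public override MembershipUserCollection GetAllUsers(int pageIndex, int pageSize, out int totalRecords)
    {
        throw new NotImplementedException();
    }

    public override int GetNumberOfUsersOnline()
    {
        throw new NotImplementedException();
    }

    public override string GetPassword(string username, string answer)
    {
        throw new NotImplementedException();
    }

    public override MembershipUser GetUser(string username, bool userIsOnline)
    {
        throw new NotImplementedException();
    }

    public override MembershipUser GetUser(object providerUserKey, bool userIsOnline)
    {
        throw new NotImplementedException();
    }

    public override string GetUserNameByEmail(string email)
    {
        throw new NotImplementedException();
    }

    public override int MaxInvalidPasswordAttempts
    {
        get { throw new NotImplementedException(); }
    }

    public override int MinRequiredNonAlphanumericCharacters
    {
        get { throw new NotImplementedException(); }
    }

    public override int MinRequiredPasswordLength
    {
        get { throw new NotImplementedException(); }
    }

    public override int PasswordAttemptWindow
    {
        get { throw new NotImplementedException(); }
    }

    public override MembershipPasswordFormat PasswordFormat
    {
        get { throw new NotImplementedException(); }
    }

    public override string PasswordStrengthRegularExpression
    {
        get { throw new NotImplementedException(); }
    }

    public override bool RequiresQuestionAndAnswer
    {
        get { throw new NotImplementedException(); }
    }

    public override bool RequiresUniqueEmail
    {
        get { throw new NotImplementedException(); }
    }

    public override string ResetPassword(string username, string answer)
    {
        throw new NotImplementedException();
    }

    public override bool UnlockUser(string userName)
    {
        throw new NotImplementedException();
    }

    public override void UpdateUser(MembershipUser user)
    {
        throw new NotImplementedException();
    }
    #endregion
}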

カスタムロールプロバイダを書きます

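/// <summary>
/// Role provider that reads a user's roles from the Roles set of the
/// application's Entity Framework model. Only <see cref="GetRolesForUser"/> and
/// <see cref="ApplicationName"/> are implemented; every other member throws.
/// </summary>
public class CustomRoleProvider : RoleProvider
{
    /// <summary>
    /// Returns the names of all roles assigned to <paramref name="username"/>.
    /// These names are what a [RequiresRole] check on the domain service is
    /// compared against, so they must match exactly.
    /// </summary>
    /// <param name="username">Login name whose roles are requested.</param>
    /// <returns>An array of role names; empty when the user has no roles.</returns>
    public override string[] GetRolesForUser(string username)
    {
        // An empty or missing user name can have no roles; skip the database.
        if (string.IsNullOrEmpty(username))
        {
            return new string[0];
        }

        using (Model.YourDomainModel context = new Model.YourDomainModel())
        {
            // Query the model's Roles set through the context. An unqualified
            // "Roles" does not refer to the table (and collides with the
            // System.Web.Security.Roles class when that namespace is imported).
            return (from r in context.Roles
                    where r.User_name == username
                    select r.Role).ToArray();
        }
    }

    /// <summary>
    /// Name of the application this provider serves. Changing it is not
    /// supported, so the setter throws.
    /// </summary>
    public override string ApplicationName
    {
        get
        {
            return "Your app name";
        }
        set
        {
            throw new NotImplementedException();
        }
    }

    // The remaining abstract members of RoleProvider are not needed for this
    // sample. Each throws rather than silently returning a default so that
    // accidental use fails loudly.
    #region Other overrides not implemented
    public override void AddUsersToRoles(string[] usernames, string[] roleNames)
    {
        throw new NotImplementedException();
    }

    public override void CreateRole(string roleName)
    {
        throw new NotImplementedException();
    }

    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole)
    {
        throw new NotImplementedException();
    }

    public override string[] FindUsersInRole(string roleName, string usernameToMatch)
    {
        throw new NotImplementedException();
    }

    public override string[] GetAllRoles()
    {
        throw new NotImplementedException();
    }

    public override string[] GetUsersInRole(string roleName)
    {
        throw new NotImplementedException();
    }

    public override bool IsUserInRole(string username, string roleName)
    {
        throw new NotImplementedException();
    }

    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames)
    {
        throw new NotImplementedException();
    }

    public override bool RoleExists(string roleName)
    {
        throw new NotImplementedException();
    }
    #endregion
}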

AuthenticationDomainService クラスを書きます

/// <summary>
/// Authentication domain service exposed to the Silverlight client. No members
/// are added here; everything comes from <see cref="AuthenticationBase{T}"/>,
/// parameterised with <see cref="AuthUser"/> as the user type.
/// </summary>
[EnableClientAccess]
public class YourAuthenticationDomainService : AuthenticationBase<AuthUser> { }

/// <summary>
/// User type handed to the client by the authentication service. It adds no
/// members of its own beyond those of <see cref="UserBase"/>.
/// </summary>
public class AuthUser : UserBase { }

DomainService に EnableClientAccess を追加し、ロールを指定します。

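/// <summary>
/// Domain service exposed to the Silverlight client. Access to each operation
/// is governed by the authorization attributes applied to that operation.
/// </summary>
[EnableClientAccess()]
public class YourDomainService : DomainService
{
    public YourDomainService()
        : base()
    {
    }

    /// <summary>
    /// Returns the someEntity set. The caller must be authenticated and hold
    /// one of the listed roles; RequiresRole grants access when any listed
    /// role matches.
    /// </summary>
    /// <remarks>
    /// Pass each role as its own argument. A single comma-separated string such
    /// as "Role1, Role2" is treated as one literal role name, which no user
    /// holds, so every caller would be rejected.
    /// </remarks>
    [RequiresRole("Role1", "Role2")]
    public IQueryable<someEntity> GetSomeEntity()
    {
        return this.ObjectContext.someEntity;
    }
}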

Web.Config が次のようになっていることを確認してください。

<system.web>
    <!-- Forms authentication: the login ticket travels in a cookie. Consider
         <forms requireSSL="true" /> so the ticket is only ever sent over HTTPS. -->
    <authentication mode="Forms" />

    <!-- Membership provider that validates logins (see CustomMembershipProvider). -->
    <membership defaultProvider="MyCustomProvider">
     <providers>
      <add name="MyCustomProvider" type="MyProject.Web.CustomMembershipProvider,MyProject.Web" />
     </providers>
    </membership>

    <!-- Role provider that supplies the role names checked by [RequiresRole]
         on the domain service (see CustomRoleProvider). -->
    <roleManager enabled="true" defaultProvider="MyCustomProvider">
     <providers>
      <add name="MyCustomProvider" type="MyProject.Web.CustomRoleProvider,MyProject.Web" />
     </providers>
    </roleManager>
</system.web>

SILVERLIGHT

App.xaml.cs で ApplicationLifetimeObjects に WebContext を追加します。

/// <summary>
/// Silverlight application entry point. Registers a <see cref="WebContext"/>
/// configured for forms authentication as an application lifetime object so
/// that it is reachable through WebContext.Current for the whole session.
/// </summary>
public partial class App : Application
{
    public App()
    {
        InitializeComponent();

        // The login dialog later reaches this instance via WebContext.Current.
        WebContext webContext = new WebContext
        {
            Authentication = new FormsAuthentication()
        };
        ApplicationLifetimeObjects.Add(webContext);
    }
}

LoginDialog.xaml のようなログインフォーム/ダイアログ

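<!-- Login dialog layout: a label column and an input column, one row per
     field plus a final row for the button. -->
<Grid x:Name="LayoutRoot" Margin="2">
    <Grid.RowDefinitions>
        <RowDefinition Height="Auto" />
        <RowDefinition Height="Auto" />
        <RowDefinition Height="Auto" />
    </Grid.RowDefinitions>
    <Grid.ColumnDefinitions>
        <ColumnDefinition Width="Auto" />
        <ColumnDefinition />
    </Grid.ColumnDefinitions>

    <TextBlock Grid.Column="0" Grid.Row="0" Text="Login:" />
    <!-- The password label belongs in row 1, beside the PasswordBox; placing
         both labels in row 0 makes them overlap. -->
    <TextBlock Grid.Column="0" Grid.Row="1" Text="Password:" />
    <TextBox x:Name="txtLogin" Grid.Column="1" Grid.Row="0" />
    <!-- PasswordBox masks the input; the code-behind reads it via .Password. -->
    <PasswordBox x:Name="txtPassword" Grid.Column="1" Grid.Row="1" />
    <!-- Without Content the button renders as an empty rectangle. -->
    <Button x:Name="btnLogin" Content="Login" Click="btnLogin_Click" Grid.Column="1" Grid.Row="2" />
</Grid>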

LoginDialog.xaml.cs

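/// <summary>
/// Starts an asynchronous login with the credentials entered in the dialog and
/// closes the dialog with a positive result once the server accepts them.
/// </summary>
/// <param name="sender">The button that raised the event.</param>
/// <param name="e">Click event arguments (unused).</param>
private void btnLogin_Click(object sender, RoutedEventArgs e)
{
    // The parameter list had a doubled pair of parentheses, which does not compile.
    // PasswordBox exposes its value through .Password, not .Text.
    LoginOperation loginOp = WebContext.Current.Authentication.Login(
        new LoginParameters(txtLogin.Text, txtPassword.Password));

    loginOp.Completed += (s2, e2) =>
    {
        if (loginOp.HasError)
        {
            // Transport or server fault: tell the user something went wrong,
            // then mark the error handled so the framework does not treat it as
            // unhandled. The message is deliberately generic.
            MessageBox.Show("Login failed. Please try again.");
            loginOp.MarkErrorAsHandled();
        }
        else if (!loginOp.LoginSuccess)
        {
            // Server reached but credentials rejected; do not say which of the
            // two values was wrong.
            MessageBox.Show("Wrong login or password.");
        }
        else
        {
            DialogResult = true;
        }
    };
}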
上記のコードを LoginDialog.xaml.cs に書きます。